Logging Best Practices
Effective logging captures meaningful traffic patterns and security events. Tracking too many rules increases log size, disk usage, and management overhead.
Key Principles
- Risk-Based Logging: Base your logging requirements on risk assessment and the criticality of protected assets. High-risk or critical systems typically require comprehensive logging of both traffic and security events.
- Context Sensitivity: Appropriate logging depends on your environment and business needs. Focus on events that provide actionable insights, support security operations and help understand user behavior.
Recommendations for Balancing Visibility and Efficiency
- Log Rules that Add Value
  - Critical Security Events
    - Access Control rules that protect critical business assets.
    - Explicit drop rules when log statistics support anomaly detection or automation systems, such as Infinity XDR and Playblocks.
    - Authentication events (Remote Access, VPN, Identity Awareness) in which user and device-related information is needed for auditing and reporting.
  - Traffic Metadata
    - Source and destination IP addresses, ports, and protocols.
    - Application names for Application Control rules.
    - Threat Prevention policies, such as IPS, Anti-Bot and Anti-Virus. Logging is important in these cases to support Threat Intelligence and event management solutions, such as Infinity XDR, Playblocks and Threat Prevention Policy Insights.
- Avoid Unnecessary Logging
  For example:
  - Consider whether it is necessary to log outbound DNS in your Access Control policy. Keep in mind that if Anti-Bot is enabled, Threat Prevention inspects DNS traffic, and the Threat Prevention logs record any associated security events.
  - Only enable Accounting on rules where traffic volume visibility is required, as Accounting consumes additional Log Server quota.
  - Enable logging for cleanup rules only when necessary, such as for troubleshooting.
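Added example (not from this guide and not Check Point product code): a small Python review script that applies two of the recommendations above to a log export. It reports which rules dominate log volume (candidates for the "Avoid Unnecessary Logging" review, such as outbound DNS or cleanup rules) and flags bursts of explicit drops from one source within a single minute, the kind of statistic that justifies keeping logging on a drop rule for anomaly detection. The key=value line layout, the field names (time, rule, action, src, dst, proto, dport) and the thresholds are assumptions chosen for the example; the log lines are constructed, not real gateway records.

```python
"""Rule-level log volume and drop-burst review over constructed firewall logs.

Added example, not Check Point documentation or product code. The log lines
below are constructed in a simple key=value layout for illustration; they are
not real Check Point log records, and the field names are assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample export (assumed key=value layout; not a real log format).
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01 rule=Outbound-DNS action=Accept src=10.1.1.5 dst=8.8.8.8 proto=udp dport=53
time=2024-05-01T10:00:02 rule=Outbound-DNS action=Accept src=10.1.1.6 dst=8.8.8.8 proto=udp dport=53
time=2024-05-01T10:00:03 rule=Outbound-DNS action=Accept src=10.1.1.7 dst=1.1.1.1 proto=udp dport=53
time=2024-05-01T10:00:04 rule=Outbound-DNS action=Accept src=10.1.1.5 dst=1.1.1.1 proto=udp dport=53
time=2024-05-01T10:00:05 rule=Outbound-DNS action=Accept src=10.1.1.8 dst=8.8.8.8 proto=udp dport=53
time=2024-05-01T10:00:06 rule=Outbound-DNS action=Accept src=10.1.1.9 dst=8.8.8.8 proto=udp dport=53
time=2024-05-01T10:01:10 rule=Web-Access action=Accept src=10.1.1.5 dst=203.0.113.20 proto=tcp dport=443
time=2024-05-01T10:01:12 rule=Web-Access action=Accept src=10.1.1.6 dst=203.0.113.21 proto=tcp dport=443
time=2024-05-01T10:05:00 rule=Cleanup-Drop action=Drop src=192.0.2.10 dst=10.1.1.5 proto=tcp dport=22
time=2024-05-01T10:05:01 rule=Cleanup-Drop action=Drop src=192.0.2.10 dst=10.1.1.5 proto=tcp dport=23
time=2024-05-01T10:05:02 rule=Cleanup-Drop action=Drop src=192.0.2.10 dst=10.1.1.5 proto=tcp dport=3389
time=2024-05-01T10:05:03 rule=Cleanup-Drop action=Drop src=192.0.2.10 dst=10.1.1.5 proto=tcp dport=445
time=2024-05-01T10:07:30 rule=Cleanup-Drop action=Drop src=192.0.2.77 dst=10.1.1.9 proto=tcp dport=443
"""

Record = Dict[str, str]


def parse_line(line: str) -> Record:
    """Split one 'key=value key=value ...' line into a dict (values contain no spaces)."""
    return dict(token.split("=", 1) for token in line.split())


def parse_logs(text: str) -> List[Record]:
    """Parse every non-empty line of an export into a record."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rule_volume(records: List[Record]) -> Counter:
    """Number of log records produced by each rule."""
    return Counter(r["rule"] for r in records)


def noisy_rules(records: List[Record], share_threshold: float = 0.4) -> List[Tuple[str, int, float]]:
    """Rules whose share of total log volume is at or above the threshold.

    These are the first candidates to review when deciding whether a rule's
    logging (or Accounting) is actually needed; the 0.4 default is an assumed
    review threshold, not a product setting.
    """
    counts = rule_volume(records)
    total = sum(counts.values())
    flagged = []
    for rule, n in counts.most_common():
        share = n / total
        if share >= share_threshold:
            flagged.append((rule, n, round(share, 3)))
    return flagged


def drop_bursts(records: List[Record], min_drops: int = 4) -> List[Tuple[str, str, int]]:
    """Sources that produced at least `min_drops` explicit drops within one minute.

    This is the kind of statistic that makes logging an explicit drop rule
    worthwhile: a burst of drops from one source stands out, while a single
    stray drop does not. The per-minute bucket and threshold are assumptions.
    """
    buckets: Counter = Counter()
    for r in records:
        if r["action"] != "Drop":
            continue
        minute = r["time"][:16]  # keep YYYY-MM-DDTHH:MM as the bucket key
        buckets[(r["src"], minute)] += 1
    return sorted((src, minute, n) for (src, minute), n in buckets.items() if n >= min_drops)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("log volume by rule:", rule_volume(recs).most_common())
    print("rules dominating volume:", noisy_rules(recs))
    print("drop bursts (src, minute, count):", drop_bursts(recs))
```

On the constructed sample the DNS rule accounts for roughly 46% of all records, which is exactly the situation the outbound DNS recommendation addresses, while the cleanup rule's drops reveal one source probing several ports within a minute; the same two functions run unchanged over a larger export once `parse_line` is adapted to the real field names.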